{
	"id": "357b8ee2-cea5-4a9b-895c-4b3c4d977f1b",
	"created_at": "2026-04-06T00:18:15.586307Z",
	"updated_at": "2026-04-10T03:21:53.602806Z",
	"deleted_at": null,
	"sha1_hash": "ba4cf3ed88f38ad448e92261d910de2cfedb1d8c",
	"title": "[Mal Series #13] Darkside Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3816484,
	"plain_text": "[Mal Series #13] Darkside Ransom\r\nBy GhouLSec\r\nPublished: 2021-05-01 · Archived: 2026-04-05 20:06:54 UTC\r\nHere is my analysis of the Darkside ransomware.\r\nWill attach more screenshots regarding my analysis this time 😏\r\nDidn’t connect to the C2 during the analysis\r\nDynamically Resolve Windows API\r\nElevate Privilege (If running in Non-Admin privilege)\r\nUtilizing COM bypass UAC privilege (When Access Token Method Failed)\r\nElevation:Administrator!new:%s\r\nGet access token from admin process (e.g. Explorer.exe)\r\nhttps://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6\r\nAdjust Privilege Token\r\nHash Generation: File Extension, Mutex, Victim’s ID\r\nInside gen_hash_val\r\nGenerator Mutex String\r\nVictim ID: Get first 10 bytes from CRC32 block of Machine GUID\r\nFile Drop\r\nDrop ransomware icon file in %APPDATA% and create Regkey for it.\r\nCreate File -\u003e RegCreateKey -\u003e RegSetValueExW\r\nService Enumeration and Delete\r\nEnumerate and compare with these services,\r\nvss,sql,svc$,memtas,mepocs,sophos,veeam,backup\r\nIf found then delete the service.\r\nGather Victim Info\r\nVictim’s info gather function\r\nOutput of Victim’s Info\r\nGet DriverType \u0026 Size\r\nFormat “\u003cDrive Name\u003e:\u003cRemaining Disk Space\u003e/\u003cTotal Disk Space\u003e” e.g. C:30/50\r\nLanguage\r\nHKCU = HKEY_CURRENT_USER = 0x80000001 Details\r\nHKCU/Control Panel/Desktop/MuiCached/MachinePreferredUILanguage\r\nEncrypt Victim’s Info\r\nEncryption Routine: Encrypt 8 bytes for one function call\r\nEncryption Key maybe? 🤔\r\nURL Path Generator\r\nURL Path Generator function\r\nPseudo Random\r\nPseudo random generator similar to srand code\r\nInternet connection\r\nsecurebestapp20[.]com/\u003cURL Path Generator\u003e\r\nEncrypted Powershell runs “delete shadow copy”\r\nOk, bye shadow copy\r\nSalsa session key generation \u0026 RSA encryption on Salsa session key\r\nThe session key is generated from the RtlRandomEx function, which is fed with a hard-coded seed value. When the length == 5 it will leave 0 bytes there. (Refer to “Custom Salsa key state arrangement”)\r\nSalsa session key generator\r\nRtlRandomEx inside wrap_random_ex()\r\nFlow of the keygen -\u003e rsa encrypt -\u003e crc -\u003e result buffer copy\r\nHow to identify Salsa encryption algorithm?\r\nFound these patterns inside the code instead of its constants.\r\nb ^= (a + d) \u003c\u003c\u003c 7;\r\nc ^= (b + a) \u003c\u003c\u003c 9;\r\nd ^= (c + b) \u003c\u003c\u003c 13; (0xd in Hex)\r\na ^= (d + c) \u003c\u003c\u003c 18; (0x12 in Hex)\r\nYay, same pattern 🤗\r\nLet’s check out the key generated. Hmm… There is no constant found for the Salsa Key generated.\r\nCustom Salsa key state arrangement\r\nDefault Salsa key state arrangement\r\nUsually “expa”, “nd 3”, “2-by”, “te k” are seen in Salsa implementations, but this seems like a custom one.\r\nRSA Public Key Encryption\r\nHow to determine RSA?\r\nKnowing the exponent (010010h LE) (10001h BE)\r\nGuessing the Exponential function (Here is a good explanation regarding the RSA algo)\r\nBefore RSA encryption\r\nAfter RSA encryption\r\nAs for details like the exponential and modulo functions, I still can’t figure them out yet. However, it feels like rcl, sbb and adc play an important role in both the exponential and modulo operations. Maybe someone can figure this out. 🤔\r\nGenerates 16 bytes block hash by using RtlComputeCrc32.\r\n16 bytes CRC32 block from Encrypted Salsa Key\r\nAfter encrypting the bytes, it appends the encrypted key and its CRC32 hash.\r\nEncrypted file format\r\nExcluded Folders, Files and Extensions\r\n$recycle.bin config.msi $windows.~bt $windows.~ws windows appdata application data boot google\r\nmozilla program files program files (x86) programdata system volume information tor browser\r\nwindows.old intel msocache perflogs x64dbg public all users default\r\nautorun.inf boot.ini bootfont.bin bootsect.bak desktop.ini iconcache.db ntldr ntuser.dat\r\nntuser.dat.log ntuser.ini thumbs.db\r\n386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcab diagcfg diagpkg dll drv exe hlp icl\r\nicns ico ics idx ldf lnk mod mpa msc msp msstyles msu nls nomedia ocx prf ps1 rom rtp scr shs spl sys\r\ntheme themepack wpx lock key hta msi pdb\r\nRansomnote\r\nSha256\r\nafb22b1ff281c085b60052831ead0a0ed300fac0160f87851dacc67d4e158178\r\nSource: https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6"
	],
	"report_names": [
		"mal-series-13-darkside-ransomware-c13d893c36a6"
	],
	"threat_actors": [],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba4cf3ed88f38ad448e92261d910de2cfedb1d8c.pdf",
		"text": "https://archive.orkl.eu/ba4cf3ed88f38ad448e92261d910de2cfedb1d8c.txt",
		"img": "https://archive.orkl.eu/ba4cf3ed88f38ad448e92261d910de2cfedb1d8c.jpg"
	}
}